예제 #1
    /**
     * Calls handleRequest() twice and pins the combined output of both calls:
     * first with a supported-privilege set registered on the ACL provider,
     * then with an empty set, which must be refused with 403 and
     * DAV:not-supported-privilege.
     *
     * NOTE(review): $this->obj and the ACEs it submits are created outside this
     * method (presumably in setUp()); the expected output below is the only
     * place here that shows which principals and privileges are requested.
     */
    public function testHandle()
    {
        DAV::$REGISTRY->setResourceClass('DAVACL_Test_Resource');
        // Register 'DAV: all' with 'DAV: read' nested under it as the provider's supported-privilege set.
        // NOTE(review): the description 'Read permissions' on 'DAV: all' looks copied from the line above;
        // presumably display-only and irrelevant to the assertions here, but confirm.
        $readPriv = new DAVACL_Element_supported_privilege('DAV: read', false, 'Read permissions');
        $allPriv = new DAVACL_Element_supported_privilege('DAV: all', false, 'Read permissions');
        $allPriv->add_supported_privilege($readPriv);
        DAV::$ACLPROVIDER->setSupportedPrivilegeSet(array($allPriv));
        // Expected output, in order: the dump printed by a successful call to
        // DAVACL_Test_Resource::set_acl() (first request), followed by the 403 error
        // reporting that not all requested privileges are supported (second request).
        $this->expectOutputString(<<<EOS
Array
(
    [0] => DAVACL_Element_ace Object
        (
            [principal] => DAV: all
            [invert] => 
            [deny] => 
            [privileges] => Array
                (
                    [0] => DAV: read
                )

            [protected] => 
            [inherited] => 
        )

    [1] => DAVACL_Element_ace Object
        (
            [principal] => /path/to/user
            [invert] => 
            [deny] => 
            [privileges] => Array
                (
                    [0] => DAV: all
                )

            [protected] => 
            [inherited] => 
        )

)
Content-Type: application/xml; charset="UTF-8"
HTTP/1.1 403 Forbidden
<?xml version="1.0" encoding="utf-8"?>
<D:error xmlns:D="DAV:">
<D:not-supported-privilege/>
</D:error>
EOS
);
        // First request: every requested privilege is in the supported set, so the ACL is stored.
        $this->obj->handleRequest();
        // Second request: with no supported privileges at all, the same ACL must be rejected
        // and nothing further may be written (no second set_acl() dump appears in the expected output).
        DAV::$ACLPROVIDER->setSupportedPrivilegeSet(array());
        $this->obj->handleRequest();
    }
예제 #2
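 /**
  * Returns the privilege tree advertised for this resource.
  *
  * Layout built below: "all" contains "read", "write" and "write-acl";
  * "read" contains read-content, read-acl and read-current-user-privilege-set;
  * "write" contains write-content and unbind.
  *
  * The result is cached in a static local, so later calls return the same array.
  * The cache is only filled once the tree is complete; a failure while building it
  * therefore cannot leave a half-built, non-array value behind for later callers.
  *
  * NOTE(review): the second constructor argument is true for most leaf privileges and
  * false for the aggregates. It appears to be the "abstract" flag; if so, ACEs that name
  * those leaf privileges directly would be refused by the ACL handler. Confirm against
  * the DAVACL_Element_supported_privilege constructor.
  *
  * @return array A single-element array holding the root ("all") privilege element
  */
 public function user_prop_supported_privilege_set()
 {
     static $retval = null;
     if ($retval !== null) {
         return $retval;
     }

     // Members of the "read" aggregate.
     $read_content = new DAVACL_Element_supported_privilege(BeeHub::PRIV_READ_CONTENT, true, 'Read the content');
     $read_acl = new DAVACL_Element_supported_privilege(DAVACL::PRIV_READ_ACL, true, 'Read ACL');
     $read_cups = new DAVACL_Element_supported_privilege(DAVACL::PRIV_READ_CURRENT_USER_PRIVILEGE_SET, true, 'Read current user privilege set');

     // Members of the "write" aggregate.
     $write_content = new DAVACL_Element_supported_privilege(DAVACL::PRIV_WRITE_CONTENT, true, 'Write the content');
     $unbind = new DAVACL_Element_supported_privilege(DAVACL::PRIV_UNBIND, false, 'Remove child resources from collections (this also requires write privilege on resource itself)');

     // Aggregates and the root.
     $read = new DAVACL_Element_supported_privilege(DAVACL::PRIV_READ, false, 'Read');
     $write = new DAVACL_Element_supported_privilege(DAVACL::PRIV_WRITE, false, 'Write');
     $write_acl = new DAVACL_Element_supported_privilege(DAVACL::PRIV_WRITE_ACL, false, 'Manage the ACL');
     $all = new DAVACL_Element_supported_privilege(DAVACL::PRIV_ALL, false, 'All');

     $read->add_supported_privilege($read_content);
     $read->add_supported_privilege($read_acl);
     $read->add_supported_privilege($read_cups);
     $write->add_supported_privilege($write_content);
     $write->add_supported_privilege($unbind);
     $all->add_supported_privilege($read)->add_supported_privilege($write)->add_supported_privilege($write_acl);

     // Publish to the cache only now that the whole tree exists.
     $retval = array($all);
     return $retval;
 }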
예제 #3
 /**
  * Builds the DAVACL_Resource mock shared by several (not all) tests.
  *
  * The fixture installs a fresh DAVACL_Test_ACL_Provider whose supported-privilege
  * set is "all" with seven member privileges, and stubs the mock so that it reports
  * a fixed seven-entry ACL, '/path/to/principal' as the current user principal and
  * that same supported-privilege set.
  *
  * NOTE(review): the 2nd and 4th DAVACL_Element_ace constructor arguments are booleans
  * whose meaning is not visible here (presumably invert and deny); confirm
  * against the constructor before relying on which entries grant and which deny.
  *
  * @return  DAVACL_Resource  The mocked object
  */
 private function prepareObjWithAcl()
 {
     $principalPath = '/path/to/principal';
     $_SERVER['REQUEST_URI'] = $principalPath;

     // Supported privileges: "all" aggregating each privilege used by the ACL below.
     $allPrivilege = new DAVACL_Element_supported_privilege(DAVACL::PRIV_ALL, false, '');
     $memberNames = array(
         DAVACL::PRIV_BIND,
         DAVACL::PRIV_READ,
         DAVACL::PRIV_READ_ACL,
         DAVACL::PRIV_READ_CURRENT_USER_PRIVILEGE_SET,
         DAVACL::PRIV_UNBIND,
         DAVACL::PRIV_UNLOCK,
         DAVACL::PRIV_WRITE_CONTENT,
     );
     foreach ($memberNames as $memberName) {
         $allPrivilege->add_supported_privilege(new DAVACL_Element_supported_privilege($memberName, false, ''));
     }
     $supportedPrivs = array($allPrivilege);

     DAV::$ACLPROVIDER = new DAVACL_Test_ACL_Provider();
     DAV::$ACLPROVIDER->setSupportedPrivilegeSet($supportedPrivs);

     // One ACE per principal kind: two concrete paths plus the all / authenticated /
     // unauthenticated / self pseudo-principals.
     $acl = array(
         new DAVACL_Element_ace('/path/to/principal', true, array(DAVACL::PRIV_BIND), false),
         new DAVACL_Element_ace('/path/to/other/principal', false, array(DAVACL::PRIV_READ), false),
         new DAVACL_Element_ace('/path/to/other/principal', true, array(DAVACL::PRIV_READ_ACL), false),
         new DAVACL_Element_ace(DAVACL::PRINCIPAL_ALL, false, array(DAVACL::PRIV_READ_CURRENT_USER_PRIVILEGE_SET), true),
         new DAVACL_Element_ace(DAVACL::PRINCIPAL_AUTHENTICATED, false, array(DAVACL::PRIV_UNBIND), false),
         new DAVACL_Element_ace(DAVACL::PRINCIPAL_UNAUTHENTICATED, false, array(DAVACL::PRIV_UNLOCK), false),
         new DAVACL_Element_ace(DAVACL::PRINCIPAL_SELF, false, array(DAVACL::PRIV_WRITE_CONTENT), false),
     );

     // Stubbed method name => canned return value.
     $stubs = array(
         'user_prop_acl' => $acl,
         'user_prop_current_user_principal' => $principalPath,
         'user_prop_supported_privilege_set' => $supportedPrivs,
     );
     $obj = $this->getMock('DAVACL_Resource', array_keys($stubs), array($_SERVER['REQUEST_URI']));
     foreach ($stubs as $methodName => $cannedValue) {
         $obj->expects($this->any())->method($methodName)->will($this->returnValue($cannedValue));
     }
     return $obj;
 }
예제 #4
 /**
  * Validates the requested ACEs against the resource and, if all pass, stores them.
  *
  * Rejections made here:
  *  - 405 when the resource is not a DAVACL_Resource;
  *  - 403 not-supported-privilege when an ACE names a privilege missing from the
  *    resource's flattened supported-privilege set;
  *  - 403 no-abstract when the named privilege is flagged abstract;
  *  - 403 recognized-principal when an href principal does not resolve to a
  *    DAVACL_Principal in the registry.
  *
  * NOTE(review): no check that the requesting user is allowed to change the ACL is
  * visible in this method, and ACL restrictions are still a TODO below. Confirm that
  * the caller or set_acl() enforces that authorization before relying on this path.
  *
  * @param DAVACL_Resource $resource
  * @return void
  * @throws DAV_Status
  */
 protected function handle($resource)
 {
     $resource->assertLock();
     if (!($resource instanceof DAVACL_Resource)) {
         throw new DAV_Status(DAV::HTTP_METHOD_NOT_ALLOWED);
     }

     // Privilege name => array with (at least) an 'abstract' entry.
     $privilegeMap = DAVACL_Element_supported_privilege::flatten(
         $resource->user_prop_supported_privilege_set()
     );

     foreach ($this->aces as $entry) {
         foreach ($entry->privileges as $requested) {
             // Unknown privileges are refused before the abstract check is reached.
             if (!isset($privilegeMap[$requested])) {
                 throw new DAV_Status(DAV::HTTP_FORBIDDEN, DAV::COND_NOT_SUPPORTED_PRIVILEGE);
             }
             if ($privilegeMap[$requested]['abstract']) {
                 throw new DAV_Status(DAV::HTTP_FORBIDDEN, DAV::COND_NO_ABSTRACT);
             }
         }

         // Only href principals are looked up; any other principal form is accepted as given.
         if (!($entry->principal instanceof DAV_Element_href)) {
             continue;
         }
         // Only the first URI of the href is resolved.
         $href = $entry->principal->URIs[0];
         $target = DAV::$REGISTRY->resource($href);
         if (!$target || !($target instanceof DAVACL_Principal)) {
             throw new DAV_Status(DAV::HTTP_FORBIDDEN, DAV::COND_RECOGNIZED_PRINCIPAL);
         }
     }

     //TODO: enforce ACL restrictions
     $resource->set_acl($this->aces);
 }
 /**
  * flatten() must map every privilege name to its own name plus the names of its
  * descendants, together with its abstract flag.
  *
  * NOTE(review): $this->obj is created outside this method; from the expected value
  * it is presumably the abstract privilege 'NS1 privilege1'.
  */
 public function testFlatten()
 {
     $child = new DAVACL_Element_supported_privilege('NS1 privilege2', false, 'Can I do something else?');
     $this->obj->add_supported_privilege($child);

     // assertSame() on arrays is order-sensitive: the child entry comes first.
     $expected = array(
         'NS1 privilege2' => array(
             'children' => array('NS1 privilege2'),
             'abstract' => false,
         ),
         'NS1 privilege1' => array(
             'children' => array('NS1 privilege1', 'NS1 privilege2'),
             'abstract' => true,
         ),
     );

     $flattened = DAVACL_Element_supported_privilege::flatten(array($this->obj));
     $this->assertSame($expected, $flattened, 'DAVACL_Element_supported_privilege::flatten() should return a correctly flattened array');
 }